Two of the UK’s highest-profile pension schemes have urged fiduciaries to pay more attention to the impact of cyber breaches on the performance of companies they invest in.

Nest, the defined contribution master trust with assets of almost £8bn, and RPMI Railpen, which runs the circa £30bn defined benefit Railways Pension Scheme, said in a joint report that investors should be aware it is a question of “when, not if” companies would be targeted by hackers.

Regulatory guidance is available to trustees seeking to protect their own schemes against online attacks, but given how regularly breaches occur, the two schemes said cyber risk should also feature as an investment concern.

One-third of businesses identified security breaches or attacks in the past year alone, according to a government survey conducted this year. Of those, 48 per cent identified at least one attack every month.

In the report, Nest and Railpen pointed to high-profile hacks as evidence of how cyber risks can infringe upon shareholder value.

For example, when the bank details of 380,000 British Airways customers were stolen in September 2018, the company was fined £183m with the possibility of a £500m lawsuit on top.

A breach at social media giant Facebook affecting 87m people wiped 20 per cent from the company’s market value overnight.

“Despite the risk of cyber-attacks rising up the agenda, many companies are guarded on the subject – we’re finding little transparency on something which globally affects companies,” said Diandra Soobiah, Nest’s head of responsible investment. “Companies don’t want to say too much about what they’re doing on cyber security management for fear of making themselves a target.”

One problem investors face when taking action on cyber risk is that disclosures on the quality of a company’s preparation for hacks are hard to come by and difficult to compare.

“In comparison, on environmental policy there’s lots of standards and reporting frameworks which companies can adhere to (e.g. TCFD),” said Ms Soobiah. “But there’s no equivalent which Nest can look to see if companies take the risk of cyber-attacks seriously.”

However, even passive investors can take steps to insulate their portfolios, according to the report. It recommended identifying at-risk companies based on factors such as the quantity of data held, the systemic risk they pose and the extent of legacy systems' use in conglomerates.

It also found that indicators of good cyber security include a strong corporate culture and attitude to training, a board using sensible risk metrics, increasing IT spend, adherence to regulatory standards and a strong relationship between the board and IT team.